The Netherlands has taken down what authorities say was one of the largest botnets in recent years, a criminal network that controlled more than 17 million infected devices worldwide. The operation, carried out by the National Police of the Netherlands and the National Cyber Security Centre (NCSC), targeted a proxy network used for spam, phishing, and DDoS attacks.

The proxy botnet was managed through roughly 200 servers hosted in Dutch data centers. Authorities say the takedown disrupted the network, but the investigation is still ongoing and no suspects have been named.

How the proxy botnet was exposed

The investigation began after a cybersecurity expert flagged suspicious activity in a large proxy-server network to the NCSC. Investigators then found that the botnet’s infrastructure was being managed through roughly 200 servers hosted in Dutch data centers.

During the operation, some equipment was seized, and hosting providers disconnected servers tied to the network. The authorities did not name any suspects, and the investigation is still ongoing.

What infected devices were used for

According to investigators, the network was used for phishing, large-scale spam campaigns, and DDoS attacks against online services. Infected machines were also used as proxy nodes, hiding the attackers’ location and making the traffic look legitimate.

  • 17 million infected devices controlled worldwide
  • About 200 servers used to manage the infrastructure
  • Used for phishing, spam, and DDoS attacks
  • Linked in local reporting to the ASOCKS proxy service

Why proxy botnets are hard to police

Local reporting says the network may have been connected to ASOCKS, a service that sells proxies based on IP addresses from ordinary household devices. That kind of setup is a gift to criminals and a headache for defenders, because traffic from a home router is much harder to separate from normal web activity than traffic from a shady server rack in a basement somewhere.

The NCSC said these botnets pose a serious threat to companies and everyday users alike. Its advice is the usual, but still ignored, list: update software, replace default router and smart-device passwords, and turn on two-factor authentication.

What happens after the takedown

The network is now disrupted, but this kind of operation rarely ends the story. Botnet operators often rebuild on fresh infrastructure, which means the real test is whether law enforcement can turn a cleanup into arrests, or whether this becomes another expensive pause button for the same criminal business.
